We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Introduction of an information security management system certification system

January 8, 2013, the Korea Communications Commission (“KCC”) amended its two previous guidance notices – one concerning the certification of an information security management system (“ISMS”), and the other concerning measures for data protection – and issued a new guidance notice concerning pre-deployment information security evaluation, all pursuant to the Promotion of Information and Communications Network Utilization and Protection of Information Act of Korea, as amended.

The above guidance notices took effect from February 18, 2013, repealing a previous safety diagnosis system that was not practically effective, and instead certain measures for data protection (such as a uniform process through an ISMS certification system) are prescribed for enterprises to take to improve their data protection levels.

Especially, the guidance notice concerning an ISMS certification system requires certain major information and communications service providers (“ICSPs”) to pass an ISMS certification process, and they include:

Internet service providers (e.g., ISP);

Internet data centers (e.g., IDC); and

the ICSP, of which annual turnover from information and communications sector is 10 billion Korean won (“KRW”) or more, or which operates a website with 1 million or more daily users in average for the last 3 months of the immediately preceding calendar year.

A violation of the foregoing obligation regarding certification may entail an administrative fine of up to KRW 10 million. Thus, companies satisfying the above requirements must be aware of and perform the new obligation.

Related topic hubs

Compare jurisdictions: Data Security & Cybercrime

"I am a frequent reader of Lexology as it is an efficient and concise service. It is very relevant as a large part of these communications come from law firms, who have a clear interest in marketing their organizations expertise in key areas of business law"